rust-unsafe-analyzer)rust-unsafe-analyzer is a static analysis tool that parses Rust source code (.rs files) into an Abstract Syntax Tree (AST) using syn 2.0 and locates syntactic unsafe constructs.
It is designed to enforce Fuchsia's Unsafe Rust code review requirements (described in //docs/development/languages/rust/unsafe.md) by identifying additions or modifications to unsafe Rust code and prompting authors to request an unsafe code review (+1 in Gerrit from fuchsia-rust-unsafe-reviews@google.com).
The tool is integrated into Fuchsia's presubmit and host static analysis pipeline via Shac:
//scripts/shac/rust_unsafe_analyzer.starfx host-tool shac check --only rust-unsafe-analyzer.When run under Shac (//scripts/shac/rust_unsafe_analyzer.star), the analyzer runs against affected .rs files outside third_party/. Shac filters findings by checking whether the exact line number of the unsafe keyword token (unsafe_line) is in the set of newly added or modified lines in the change (meta.new_lines()). Existing untouched unsafe code in an affected file is ignored.
Because rust-unsafe-analyzer performs a complete syntactic AST traversal, it reliably detects explicit unsafe keywords in the source code of a file across all categories.
unsafe { ... } Blocks
unsafe { // Raw pointer dereference, unsafe FFI call, or unsafe method call }
unsafe fn ... functions and methods
unsafe fn dangerous_free_func() {} impl Foo { unsafe fn dangerous_method(&self) {} } trait Bar { unsafe fn dangerous_trait_method(); }
unsafe trait ... trait definitions
unsafe trait SendSyncTrusted {}
unsafe impl ... trait implementations
unsafe impl SendSyncTrusted for MyType {}
macro containing an unsafe keyword
macro_rules! unsafe_macro { ($v:expr) => { unsafe { std::str::from_utf8_unchecked($v) } } }
rust-unsafe-analyzer is a syntactic AST parser (syn), not a full compiler frontend or semantic analyzer (rustc / miri). Therefore, there are specific limitations on what it can detect:
Macro Expansions & Generated Code
macro_rules! or procedural macro) generates an unsafe block or function inside its expansion, rust-unsafe-analyzer cannot inspect the post-expansion AST unless the macro invocation itself explicitly includes an unsafe token in its arguments in the source file.Indirect Unsafety & Safety Invariants in Safe Code
unsafe blocks. Modifying a safe helper function that breaks an assumption relied upon by an existing untouched unsafe block will not be flagged unless the line containing the unsafe keyword itself is modified.External C FFI / Foreign Module Items (extern "C")
extern "C" { ... } block (ItemForeignMod) are implicitly unsafe to call in Rust, but the declaration itself does not use the unsafe keyword. The tool flags the caller (unsafe { ... } block invoking the extern function), but not the bare extern block declaration.Semantic Soundness or Undefined Behavior
unsafe block is sound, whether invariants are documented, or whether pointers are valid. Its sole purpose is to detect the syntactic presence of new/modified unsafe constructs and require human expert review.Unit tests verify AST detection across all UnsafeKind categories and assert on the complete Finding struct (path, kind, line, end_line, col, end_col, unsafe_line, and message).
Run tests using:
% fx test --host rust-unsafe-analyzer-test
To run the analyzer binary directly against a set of Rust source files:
% fx host-tool shac check --only rust_unsafe_analyzer
It outputs any findings to stdout.